Traceability Documentation Overview
VEX Reports
VEX (Vulnerability Exploitability eXchange) is the standard way for a software supplier to state whether a product is actually affected by a known vulnerability in one of its components, so that consumers can separate the findings that need action from those that do not. Understanding what it is, how to use it correctly, and what Torizon provides makes vulnerability management much easier.
SBOM Reports
SBOMs are important records within the software supply chain, the software equivalent of a parts list. Their purpose is to give insight into the composition of a software product: at its most basic, an SBOM is a list of every component and dependency that makes up a software system, with the versions and identifiers needed to match each one against vulnerability data. This article describes the different types of SBOMs we produce, where to find them, and what they are used for.
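The two formats are meant to be read together: the SBOM says what is in the product, and the VEX says which known vulnerabilities in those components actually matter. The following is an added example written for this overview, not Torizon's own tooling, showing how a consumer joins an OpenVEX document onto a CycloneDX-style component list by package URL. Both documents are constructed samples, the component names and vulnerability names (`EXAMPLE-VULN-1` and so on) are placeholders rather than real identifiers, and the `Finding`/`Apply` names are the example's own. It also applies the OpenVEX rule that a `not_affected` statement must carry a `justification` or `impact_statement`, and refuses to treat a finding as closed when that is missing.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed, minimal CycloneDX-style component list (sample input, not a real Torizon SBOM).
const sbomJSON = `{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"name": "libalpha", "version": "1.0.0", "purl": "pkg:generic/libalpha@1.0.0"},
  {"name": "libbeta",  "version": "2.3.1", "purl": "pkg:generic/libbeta@2.3.1"},
  {"name": "libgamma", "version": "0.9.0", "purl": "pkg:generic/libgamma@0.9.0"}]}`

// Constructed OpenVEX document. Vulnerability names are placeholders, not real CVE identifiers.
const vexJSON = `{"@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.invalid/vex/sample-1",
  "author": "Example Vendor", "timestamp": "2024-01-01T00:00:00Z", "version": 1, "statements": [
  {"vulnerability": {"name": "EXAMPLE-VULN-1"}, "products": [{"@id": "pkg:generic/libalpha@1.0.0"}],
   "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
  {"vulnerability": {"name": "EXAMPLE-VULN-2"}, "products": [{"@id": "pkg:generic/libbeta@2.3.1"}],
   "status": "affected", "action_statement": "Upgrade libbeta to 2.3.2"},
  {"vulnerability": {"name": "EXAMPLE-VULN-3"}, "products": [{"@id": "pkg:generic/libgamma@0.9.0"}],
   "status": "not_affected"},
  {"vulnerability": {"name": "EXAMPLE-VULN-4"}, "products": [{"@id": "pkg:generic/notshipped@1.0.0"}],
   "status": "affected", "action_statement": "n/a"}]}`

type sbom struct {
	Components []struct {
		Name string `json:"name"`
		PURL string `json:"purl"`
	} `json:"components"`
}

type vexStatement struct {
	Vulnerability   struct{ Name string `json:"name"` }  `json:"vulnerability"`
	Products        []struct{ ID string `json:"@id"` }   `json:"products"`
	Status          string                               `json:"status"`
	Justification   string                               `json:"justification"`
	ImpactStatement string                               `json:"impact_statement"`
	ActionStatement string                               `json:"action_statement"`
}

type vexDoc struct {
	Statements []vexStatement `json:"statements"`
}

// Finding is the merged view for one (shipped component, vulnerability) pair.
type Finding struct {
	PURL, Vulnerability, Status string
	Valid                       bool // statement satisfies the OpenVEX rules checked here
	Open                        bool // true if the vulnerability still needs action
}

// Apply joins VEX statements onto the SBOM's components by purl. Statements about
// products not present in the SBOM are ignored; statements that cannot be trusted
// to close a finding leave it open.
func Apply(sbomData, vexData []byte) ([]Finding, error) {
	var bom sbom
	if err := json.Unmarshal(sbomData, &bom); err != nil {
		return nil, fmt.Errorf("sbom: %w", err)
	}
	var vex vexDoc
	if err := json.Unmarshal(vexData, &vex); err != nil {
		return nil, fmt.Errorf("vex: %w", err)
	}
	shipped := map[string]bool{}
	for _, c := range bom.Components {
		shipped[c.PURL] = true
	}
	var out []Finding
	for _, st := range vex.Statements {
		for _, p := range st.Products {
			if !shipped[p.ID] {
				continue // statement is about something we do not ship
			}
			f := Finding{PURL: p.ID, Vulnerability: st.Vulnerability.Name, Status: st.Status, Valid: true}
			switch st.Status {
			case "not_affected":
				// OpenVEX requires a not_affected statement to say why. Without a
				// justification or impact_statement it must not silence the finding.
				f.Valid = st.Justification != "" || st.ImpactStatement != ""
				f.Open = !f.Valid
			case "fixed":
				f.Open = false
			case "affected", "under_investigation":
				f.Open = true
			default:
				f.Valid, f.Open = false, true // unknown status: keep the finding open
			}
			out = append(out, f)
		}
	}
	return out, nil
}

func main() {
	findings, err := Apply([]byte(sbomJSON), []byte(vexJSON))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-30s %-15s %-14s valid=%-5v open=%v\n", f.PURL, f.Vulnerability, f.Status, f.Valid, f.Open)
	}
}
```

Running it reports `libalpha` closed with a valid justification, `libbeta` open because it is `affected`, `libgamma` open because its `not_affected` statement gives no reason, and nothing for the product the SBOM does not contain. A real consumer would also reconcile multiple statements for the same product and vulnerability by document version and timestamp, which this example leaves out.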
In-Toto Attestations
In-toto attestations are cryptographically signed records of the Torizon OS build process that capture the steps of the supply chain and the artifacts each step produced. An attestation only carries weight once its signature has been verified against a trusted key and its subject has been matched to the artifact you are actually deploying. Learn how they strengthen trust, reduce security blind spots, and simplify compliance efforts (e.g., SBOM/VEX, SLSA).
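To make the verification step concrete, here is an added example, written for this overview and not taken from Torizon's tooling, of the two checks a consumer performs on an in-toto attestation: it builds an in-toto Statement, wraps it in a DSSE envelope signed with Ed25519, and then verifies the signature over DSSE's pre-authentication encoding and matches the statement's subject digest against the artifact in hand. The artifact bytes, key ID and predicate type (`https://example.invalid/predicates/build/v1`) are constructed placeholders, and `Sign`/`Verify` are the example's own names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

const payloadType = "application/vnd.in-toto+json"

// Statement is the in-toto attestation framework's Statement layer: which
// artifacts (subjects) the claim is about, and the claim itself (predicate).
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is the DSSE envelope that in-toto uses to carry a signed Statement.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the serialized Statement
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64
}

// pae is DSSE's pre-authentication encoding, the bytes that are actually signed.
// It binds the payload type to the payload so a signature cannot be replayed
// onto the same bytes presented under a different type.
func pae(typ string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(payload), payload))
}

// Sign serializes the statement and signs it with an Ed25519 key.
func Sign(stmt Statement, priv ed25519.PrivateKey, keyID string) (Envelope, error) {
	payload, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify checks the envelope against a trusted key and then checks that the
// statement is about the artifact in hand. Both checks matter: a valid signature
// over a statement about some other artifact says nothing about this one.
func Verify(env Envelope, pub ed25519.PublicKey, artifact []byte) (Statement, error) {
	var stmt Statement
	if env.PayloadType != payloadType {
		return stmt, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return stmt, err
	}
	verified := false
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, pae(env.PayloadType, payload), sig) {
			verified = true
			break
		}
	}
	if !verified {
		return stmt, errors.New("no signature verifies under the trusted key")
	}
	if err := json.Unmarshal(payload, &stmt); err != nil {
		return stmt, err
	}
	if stmt.Type != "https://in-toto.io/Statement/v1" && stmt.Type != "https://in-toto.io/Statement/v0.1" {
		return stmt, fmt.Errorf("not an in-toto statement: %q", stmt.Type)
	}
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	for _, sub := range stmt.Subject {
		if sub.Digest["sha256"] == want {
			return stmt, nil
		}
	}
	return stmt, errors.New("statement subject does not match the artifact digest")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed sample build output") // placeholder for an OS image
	sum := sha256.Sum256(artifact)
	stmt := Statement{Type: "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: "sample.img", Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: "https://example.invalid/predicates/build/v1", // hypothetical predicate type
		Predicate:     json.RawMessage(`{"builder": "example-ci"}`)}
	env, _ := Sign(stmt, priv, "key-1")
	_, err := Verify(env, pub, artifact)
	fmt.Println("matching artifact, trusted key:", err)
	_, err = Verify(env, pub, []byte("some other build"))
	fmt.Println("different artifact:", err)
}
```

The trusted public key has to come from somewhere other than the envelope itself (the `keyid` field is only a lookup hint), and in practice the predicate is then checked against policy, for example that the builder and source named in a provenance predicate are the expected ones.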